Most important points from PSD2
PSD2 (Payment Services Directive 2) is a European Union (EU) directive created to set a standard in the industry of online payments across the EU28/EEA.
The directive becomes part of each member state's legislation from the 13th of January 2018. It builds on the outdated PSD1 from 2007.
PSD2’s most important requirements for merchants are the following:
- New Surcharging
- Strong Customer Authentication
1. New Surcharging
PSD2 will regulate what types of payment cards can be surcharged. There are two distinct cases: consumer cards and business/corporate cards.
Consumer cards: payment cards (e.g. debit/credit) issued to individuals for their own personal needs. The cards are linked to the individuals' personal bank accounts and are used to purchase consumer goods/services, e.g. food, clothing, gym memberships.
Business/corporate cards: payment cards (e.g. debit/credit) issued in the name of a company for business-related purchases. The cards are linked to the company's bank accounts and are used to purchase business-related goods/services, e.g. buying a company car or hiring a freelancer.
1.1. Surcharging B2C transactions will be banned
It will not be allowed for merchants to surcharge customers paying with consumer cards in B2C transactions; meaning that the merchant may no longer pass on the fee to its customers.
This measure applies to:
- Consumer cards [1] from Visa, Mastercard, Dankort etc.
- Debit and credit cards
- Domestic and cross-border payments
- Online and physical shops
1.2. Surcharging B2B transactions will still be permitted
It will continue to be allowed for merchants to surcharge customers making payments with business or corporate cards [1] in B2B transactions.
What can I do about surcharging?
Importance of Visa and Mastercard
Despite the banning of surcharging consumer cards, accepting Visa & Mastercard payments across Europe is vital for business growth.
Non-cash payments in Europe increased by 8.5% in 2016.
According to the European Central Bank, 122 billion non-cash transactions were made in Europe in 2016. 49% of these, or 59.6 billion, were made using payment cards.
The value of these card transactions was 2.9 trillion Euros. A Nilson Report for 2016 found that they were split as follows:
- 66% with Visa
- 31% with Mastercard
- 3% with AMEX
- <1% other cards
Options to consider:
- See where cost savings can be made in your company
- Include the card payment fees in the total price of your products/services
2. Strong Customer Authentication
PSD2 promotes Strong Customer Authentication (SCA) in online payments by making Two-Factor Authentication (2FA) mandatory. However, do not worry, there is a transition period (keep on reading).
Authentication: the process of checking that the customer making a payment in your webshop is the rightful owner of the card used in the transaction.
2FA is performed by asking the person making the purchase for two factors: (1) the "something known" factor (e.g. card details and/or CVV) and (2) the "something owned" factor, which can be one of:
- One-Time Password (OTP) (e.g. a code sent by text message or e-mail to the cardholder's registered mobile device or address)
- Biometric feature (e.g. a fingerprint linked to the cardholder's registered mobile device)
- Scanned QR code (e.g. an on-screen QR code that must be scanned by the registered mobile device, using, for example, the Google Authenticator app)
NOTE. As a merchant, you do not have to do any programming or special implementation to request the two authentication factors in your webshop. Clearhaus collaborates and exchanges information with your gateway and the cardholder's issuing bank to provide your webshop with 2FA.
The benefits of 2FA are
- Customers are protected against theft
- You are protected against fraud and the potential chargebacks that follow from it
Although PSD2 becomes national law on the 13th of January 2018, there will be a transition period lasting at least until November 2018. This means that merchants, issuers, and acquirers are not obliged to apply 2FA during the transition period. The final deadline for the 2FA requirement is not certain yet; we will keep you updated on this issue.
Exemptions from the 2FA requirement
Recurring transactions (e.g. memberships, subscriptions) [3]
Contactless electronic payment transactions at the point of sale (POS), provided that:
- a single transaction does not exceed 50 Euros
- the cumulative amount since the last authentication does not exceed 150 Euros, and no more than 5 consecutive transactions are made without authentication
Remote electronic payment transactions of low value [4], provided that:
- a single transaction does not exceed 30 Euros
- the cumulative amount since the last authentication does not exceed 100 Euros, and no more than 5 consecutive transactions are made without authentication
Customers accessing online the balance of their payment accounts linked to your webshop [5]
Unattended terminals in road transport and parking
Payments to self (i.e. when the payer and the payee are the same entity with the same account at the acquirer)
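The exemption thresholds above are easiest to reason about as a small decision routine: for each card, keep the amount and number of exempt transactions since the last SCA, and step up to authentication as soon as a limit would be crossed. The following is an added example written for this page; it is not Clearhaus code and not how any gateway implements the rules. It uses the limits quoted above and assumes one reading of the "5 consecutive transactions" rule (five exempt payments are allowed, the sixth must be authenticated), that a recurring exemption does not consume the low-value allowance, and that "90 days" in footnote 5 means more than 90 days since the last authentication.

```python
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    CONTACTLESS_POS = "contactless_pos"  # card present, contactless terminal
    REMOTE = "remote"                    # internet / distance-communication device


# Per channel: (single transaction cap, cumulative cap since last SCA,
# max consecutive exempt transactions). Amounts are euro cents so the
# running totals never suffer floating-point rounding.
LIMITS_CENTS = {
    Channel.CONTACTLESS_POS: (50_00, 150_00, 5),
    Channel.REMOTE: (30_00, 100_00, 5),
}

BALANCE_ACCESS_MAX_DAYS = 90  # footnote 5


@dataclass
class CardCounters:
    """Running totals for one card since its last successful SCA."""
    amount_since_sca: int = 0
    count_since_sca: int = 0


@dataclass(frozen=True)
class Transaction:
    channel: Channel
    amount_cents: int
    recurring: bool = False        # membership/subscription series (footnote 3)
    first_in_series: bool = False  # first payment of that series


def exemption_reason(txn, counters):
    """Name of the exemption that applies, or None when SCA is required.

    Assumed reading of the thresholds: exempt only if the amount does not
    exceed the single cap, the running total including it does not exceed
    the cumulative cap, and fewer than 5 exempt transactions have been made
    since the last SCA (so the sixth must be authenticated).
    """
    if txn.recurring:
        return None if txn.first_in_series else "recurring"
    single_cap, cumulative_cap, max_consecutive = LIMITS_CENTS[txn.channel]
    if txn.amount_cents > single_cap:
        return None
    if counters.amount_since_sca + txn.amount_cents > cumulative_cap:
        return None
    if counters.count_since_sca >= max_consecutive:
        return None
    return "low_value_" + txn.channel.value


def process(txn, counters):
    """Decide for one transaction and update the card's counters.

    Returns the record an authorising system would log. A step-up (SCA via
    e.g. 3-D Secure) resets the counters; a low-value exemption consumes
    part of the allowance; a recurring exemption is assumed not to.
    """
    reason = exemption_reason(txn, counters)
    if reason is None:
        counters.amount_since_sca = 0
        counters.count_since_sca = 0
    elif reason.startswith("low_value_"):
        counters.amount_since_sca += txn.amount_cents
        counters.count_since_sca += 1
    return {"sca": reason is None, "exemption": reason}


def run_sequence(txns, counters=None):
    """Process a list of transactions for one card, returning the decisions."""
    counters = counters if counters is not None else CardCounters()
    return [process(t, counters) for t in txns]


def balance_access_requires_sca(days_since_last_sca):
    """Footnote 5: balance lookups need 2FA on first use (None) and again
    once more than 90 days have passed since the last authentication."""
    if days_since_last_sca is None:
        return True
    return days_since_last_sca > BALANCE_ACCESS_MAX_DAYS


if __name__ == "__main__":
    # Constructed sample: one card paying repeatedly in a webshop (remote).
    sample = [Transaction(Channel.REMOTE, 25_00)] * 4 + [
        Transaction(Channel.REMOTE, 1_00),   # pushes the total past 100 EUR -> SCA
        Transaction(Channel.REMOTE, 30_00),  # exactly at the single cap -> exempt
        Transaction(Channel.REMOTE, 30_01),  # one cent over the cap -> SCA
    ]
    for txn, decision in zip(sample, run_sequence(sample)):
        print(f"{txn.amount_cents / 100:7.2f} EUR -> {decision}")
```

The counters live per card, not per session, which is why the state is passed in rather than kept globally; in practice the issuer holds the authoritative counters, so a merchant-side copy like this only predicts whether a step-up is likely, and the issuer's decision wins.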
To comply with the 2FA requirement from PSD2, the best option is to implement 3-D Secure [6] or Apple Pay.
3-D Secure is a security feature developed jointly by Visa and Mastercard, among others, with the purpose of authenticating the cardholder linked to a purchase. 3-D Secure protects your business against fraud. It shifts the liability to the issuing bank.
Apple Pay is a secure mobile payment and digital wallet service. Customers can pay with their phones without having to enter card and personal information every time they want to make a purchase. The information is stored in the Wallet app.
Clearhaus offers support for 3-D Secure and Apple Pay transactions. See our features.
1 - Consumer cards that are part of a four-party scheme and subject to the Interchange Fee Regulation.
The Interchange Fee Regulation is an EU directive which specifies the maximum fees that issuing banks (customers' banks) can charge for offering services related to card transactions.
In principle, business and corporate cards are not subject to the Interchange Fee Regulation.
2 - The Regulatory Technical Standards were developed by the European Banking Authority together with the European Central Bank and set out the technical aspects of PSD2.
3 - The first recurring transaction will need to be authenticated with 2FA.
4 - Payment transactions initiated on the internet or through a device that can be used for distance communication.
5 - The first time your customers access the balance of their payment accounts, 2FA must be applied. If 90 days have passed since your customers last accessed the balance of their accounts, 2FA will have to be applied again.
6 - 2FA from PSD2 requires at least 3-D Secure version 1.0.2 in order to fully comply.